How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements



Similar documents
Achieving PCI-Compliance through Cyberoam

74% 96 Action Items. Compliance

SonicWALL PCI 1.1 Implementation Guide

PCI DSS Requirements - Security Controls and Processes

MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Did you know your security solution can help with PCI compliance too?

LogRhythm and PCI Compliance

General Standards for Payment Card Environments at Miami University

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

University of Sunderland Business Assurance PCI Security Policy

GFI White Paper PCI-DSS compliance and GFI Software products

March

Achieving PCI DSS Compliance with Cinxi

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Implementation Guide

The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know

Enforcing PCI Data Security Standard Compliance

PCI Data Security Standards (DSS)

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

The Comprehensive Guide to PCI Security Standards Compliance

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

CorreLog Alignment to PCI Security Standards Compliance

Global Partner Management Notice

Enabling PCI Compliance with Radware APSolute Solutions Solution Paper

Retail Stores Networks and PCI compliance

Payment Card Industry Data Security Standard

Achieving PCI Compliance Using F5 Products

PCI DSS Compliance. with the Barracuda NG Firewall. White Paper

Becoming PCI Compliant

Using Skybox Solutions to Achieve PCI Compliance

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table

Payment Card Industry (PCI) Data Security Standard. Version 1.1

Windows Azure Customer PCI Guide

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Meeting PCI-DSS v1.2.1 Compliance Requirements. By Compliance Research Group

Payment Application Data Security Standards Implementation Guide

Payment Card Industry Data Security Standard

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

PCI and PA DSS Compliance Assurance with LogRhythm

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

A Rackspace White Paper Spring 2010

Teleran PCI Customer Case Study

Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

Tripwire PCI DSS Solutions: Automated, Continuous Compliance

Improving PCI Compliance with Network Configuration Automation

How Reflection Software Facilitates PCI DSS Compliance

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Need to be PCI DSS compliant and reduce the risk of fraud?

Catapult PCI Compliance

Automate PCI Compliance Monitoring, Investigation & Reporting

PCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes

Unified Security Anywhere PCI COMPLIANCE PCI COMPLIANCE WE CAN HELP MAKE IT HAPPEN

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Presented By: Bryan Miller CCIE, CISSP

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 2

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

How To Protect A Web Application From Attack From A Trusted Environment

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond

Passing PCI Compliance How to Address the Application Security Mandates

Payment Card Industry (PCI) Compliance. Management Guidelines

Technology Innovation Programme

A brief on Two-Factor Authentication

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Best Practices for PCI DSS V3.0 Network Security Compliance

Josiah Wilkinson Internal Security Assessor. Nationwide

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

PCI Compliance We Can Help Make it Happen

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

PCI DSS 3.1 Security Policy

Firewall and Router Policy

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Credit Card Security

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

Franchise Data Compromise Trends and Cardholder. December, 2010

You Can Survive a PCI-DSS Assessment

Transcription:

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards Council to ensure that companies entrusted with credit card data adopt consistent security measures to protect cardholder information when it is processed, stored, and transmitted. Known simply as "PCI", the purpose of the standard was to protect consumers through the prevention of credit card fraud, data theft, and other security threats. Compliance with PCI DSS is a business essential for any merchant or service provider that transmits, stores, or processes cardholder data related to any of the major credit card companies American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. Covered entities that are found to be non-pci compliant face fines of $5,000 to $25,000 per month. In the event a non-compliant company suffers a data breach, the fines can be as high as $500,000. In recent years, hackers and cyber criminals have successfully infiltrated merchants' systems, gaining access to the credit card numbers and other sensitive financial information of millions of consumers. In January 2007, computer systems of the nationwide discount retailer chain T.J. Maxx were hacked and information of at least 45.7 million credit and debit cards were stolen. The compromised data included credit card numbers, transaction information, and customer data. In January 2009, payment processing firm Heartland Payment Systems publicly disclosed that it had suffered a breach of its processing system in 2008. The scope of the damage from that breach could potentially surpass 100 million records. P C I C o m p l i a n c e R e q u i r e s R o b u s t S e c u r i t y M e a s u r e s Attacks from cyber criminals have become increasingly sophisticated, enabling them to easily bypass firewalls and other traditional methods of network security. As a result, defending the company s network assets against these threats now requires a multi-layered security solution. The PCI Security Standards Council has outlined the following six security categories for merchant compliance: 1. Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2. Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks 3. Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications 4. Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data 5. Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes 6. Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security The PCI Security Standards Council continually monitors these defenses for compliance, to ensure the highest level of safety against attack. 2

A c h i e v i n g a n d M a i n t a i n i n g P C I C o m p l i a n c e PCI compliance is about more than just avoiding fines from the Security Standards Council. It shows consumers the company's commitment to the safety of their sensitive data. Adhering to strong security standards also helps protect the company's reputation and brand image. Suffering a database security breach can cause irreparable damage to customer trust. With an enterprise-class 2-way firewall, industry-leading antivirus and anti-spam, and strong data encryption at the source, the NETGEAR ProSecure UTM supports the following requirements for PCI compliance: PCI DSS Requirement Details NETGEAR Solution Build and Maintain a Secure Network Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data 1.2 1.2.1 1.2.3 1.3 1.3.1 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. Prohibit direct public access between the Internet and any system component in the cardholder data environment. Implement a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment. configurable DMZ where traffic to and from the trusted network is restricted unless otherwise specified in the firewall configuration. The NETGEAR ProSecure UTM contains firewall rules that restrict inbound and outbound traffic between LAN, WAN, and DMZ zones unless otherwise defined. Connect a wireless access point into the DMZ port on the NETGEAR ProSecure UTM, effectively separating wireless traffic from the trusted network (cardholder data environment). proven firewall, VPN, IPS, and enterprise-class content security filters to prevent unauthorized access to system components inside the company network. configurable DMZ where traffic to and from the trusted network is restricted unless otherwise specified in the firewall configuration. 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ. The NETGEAR ProSecure UTM can be configured to only allow inbound Internet traffic within the DMZ. 1.3.3 1.3.4 1.3.5 Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment. Do not allow internal addresses to pass from the Internet into the DMZ. Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ. The NETGEAR ProSecure UTM contains firewall rules that restrict inbound and outbound traffic between the LAN (cardholder data environment) and WAN (Internet) zones. The NETGEAR ProSecure UTM does not allow internal addresses to be visible from the Internet. The NETGEAR ProSecure UTM can be configured to only allow outbound traffic from the LAN zone going to IP addresses within the DMZ. 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only established connections are allowed into the network.) The NETGEAR ProSecure UTM performs stateful packet inspection. 3

PCI DSS Requirement Details NETGEAR Solution 1.3.7 1.3.8 Place the database in an internal network zone, segregated from the DMZ Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies for example, port address translation (PAT). configurable DMZ where traffic to and from the trusted network is restricted unless otherwise specified in the firewall configuration. The database can be placed in the LAN zone, thus segregated from the DMZ. Network Address Translation (NAT) and port address translation (PAT) are standard features of the NETGEAR ProSecure UTM. Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters 2.1 2.2.2 Always change vendor-supplied defaults before installing a system on the network for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts. Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices specified function) The NETGEAR ProSecure UTM contains a simple 10-step setup wizard where the administrator can change the default admin password before installing the UTM onto the network. firewall and content filter policies that can be configured to provide detailed granular control over which protocols, ports, and content are allowed through the UTM. Additionally, patent-pending Stream Scanning technology, along with enterprise-class anti-virus, anti-spyware, and intrusion detection technologies keep your network safe from threats that take advantage of services and protocols that have been allowed by policy. 2.2.3 2.3 Protect Cardholder Data Configure system security parameters to prevent misuse Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access. firewall and content filter policies that can be configured to provide detailed granular control over which protocols, ports, and content are allowed through the UTM. encrypted HTTPS Web-based management. Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSec) to safeguard sensitive cardholder data during transmission over open, public networks. 4 4.1 Examples of open, public networks that are in scope of the PCI DSS are: The Internet Wireless technologies Global System for Mobile communications (GSM) General Packet Radio Service (GPRS) The NETGEAR ProSecure UTM support both SSL and IPsec VPN connections for secure data transmission over public networks.

PCI DSS Requirement Details NETGEAR Solution Maintain a Vulnerability Management Program Requirement 5: Use and Regularly Update Anti-Virus Software or Programs 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). best-of-breed anti-virus/anti-malware scan engine, which is an essential compliment to the anti-virus software installed on individual computers. 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. The NETGEAR ProSecure UTM employs a comprehensive, best-of-breed security solution, including proactive, "zero-hour" detection and patent-pending Stream Scanning technology to proactively protect business networks from over 13 million types of viruses, worms, spyware, trojans, rootkits, keyloggers, and other Internet-based threats. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. The NETGEAR ProSecure UTM signature database is automatically updated around the clock to meet the objectives of this requirement. Malware detections are logged by the UTM. Requirement 6: Develop and Maintain Secure Systems and Applications 6.1 6.2 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release. Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues. The NETGEAR ProSecure UTM automatically checks and downloads the latest firmware version to the appliance. The administrator can then install it from the Web-based management interface. NETGEAR provides comprehensive online resources for information on the latest threats and vulnerabilities, updated around the clock by NETGEAR security experts to keep you continuously informed about threats as they emerge. 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications The NETGEAR ProSecure UTM s IPS, Web anti-malware scanning, URL filtering capabilities can be used in conjunction with its firewall policies to protect public facing web-applications/servers. 5

PCI DSS Requirement Details NETGEAR Solution Implement Strong Access Control Measures Requirement 8: Assign a Unique ID to Each Person with Computer Access 8.2 8.3 8.4 Regularly Monitor and Test Networks In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: Password or passphrase Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys) Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. Render all passwords unreadable during transmission and storage on all system components using strong cryptography. two-factor authentication. two-factor authentication, including WIKID, Radius, LDAP, and individual VPN certificates. All data and passwords used to communicate with NETGEAR ProSecure UTM Web-based management interface are SSL encrypted. All file systems on the UTM are encrypted. Requirement 10: Track and Monitor all Access to Network Resources and Cardholder Data 10.1 10.2.1 10.2.2 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. All individual user accesses to cardholder data All actions taken by any individual with root or administrative privileges Actions performed by users in the UTM Web-based management interface are logged by the UTM. 10.2.3 Access to all audit trails 10.2.4 Invalid logical access attempts 10.2.5 Use of identification and authentication mechanisms Actions performed by users in the UTM Web-based management interface are logged by the UTM. 10.2.6 Initialization of the audit logs 10.2.7 Creation and deletion of system-level objects 6

PCI DSS Requirement Details NETGEAR Solution 10.3 Record at least the following audit trail entries for all system components for each event: 10.3.1 User identification 10.3.2 Type of event 10.3.3 Date and time 10.3.4 Success or failure indication Actions performed by users in the UTM Web-based management interface are logged by the UTM. 10.3.5 Origination of event 10.3.6 Identity or name of affected data, system component, or resource 10.4 Synchronize all critical system clocks and times. NTP synchronization. 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6. The NETGEAR ProSecure UTM keeps the following logs: Traffic, Malware, Spam, Content Filter, Email Filter, System, Service, IPS, Port Scan, IM, P2P, Firewall, IPsec VPN, SSL VPN Requirement 11: Regularly Test Security Systems and Processes 11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date. The Netgear ProSecure UTM s network intrusion prevention and detection system utilizes a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods, preventing hackers from penetrating the network perimeter. G o i n g B e y o n d P C I C o m p l i a n c e PCI compliance is an important start to securing the company's network. However, it is important to note that in addition to being PCI compliant, there are other important aspects of the network not covered by the PCI DSS. Business-critical company information and other network assets are still at risk from hackers, malicious programs, and other Internet-based threats. Security experts receive approximately 15 million unique malware samples each year and new threat types and attack vectors are continuously emerging. To effectively combat these continuously emerging threats, IT managers must develop comprehensive security measures that include a robust firewall and a comprehensive suite of Internet security solutions. As illustrated in the table above, the NETGEAR ProSecure UTM is a comprehensive security solution to help you achieve and maintain PCI compliance. Additionally, the ProSecure UTM provides additional security benefits to help you protect your network from an array of Internet-based threats. 7

NETGEAR ProSecure Gateway Security Appliance Solutions The ProSecure STM and UTM Gateway Security Appliances feature a proven firewall, SSL and IPsec VPN support, IPS, and enterprise-class content security filters to prevent unauthorized access to system components inside the company network. The ProSecure STM and UTM Gateway Security Appliances feature patent pending Stream Scanning technology that is designed to scan data streams as they enter the network. With Stream Scanning technology, the NETGEAR STM and UTM are able to process large amounts of data in real-time, using a single scan to identify spam, malware, security breaches, or unnecessary applications. This ensures that users on the network receive their email and Web content clean and without delay. The ProSecure STM and UTM Gateway Security Appliances offer straight forward installation and maintenance. The STM is a transparent bridge that seamlessly integrates into existing network architectures. The UTM is an all-in-one network security solution that replaces any existing firewall or router. Each solution comes equipped with all the security software needed for your business with no per user licenses required. NETGEAR, the NETGEAR logo, Connect with Innovation and ProSecure are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Other brand names mentioned herein are for identification purposes only and may be trademarks of their respective holder(s). Information is subject to change without notice. 2009 NETGEAR, Inc. All rights reserved. www.prosecure.netgear.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information